Skill
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: clawprint Version: 3.0.1 The skill bundle is benign. The `SKILL.md` provides extensive documentation and `curl` examples for interacting with the `https://clawprint.io` API, which is the stated purpose of the skill. All network calls are directed to this legitimate domain, and the instructions for the AI agent are consistently focused on agent registration, discovery, and exchange within the ClawPrint platform. There is no evidence of data exfiltration beyond the skill's operational data, malicious execution, persistence mechanisms, obfuscation, or prompt injection attempts designed to subvert the agent's core directives or access unrelated sensitive information.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the API key is exposed or a wallet challenge is signed without review, someone could act as the agent on ClawPrint or create an unwanted identity link.
The workflow uses a ClawPrint bearer API key and can link an agent identity to a wallet through signing. That is expected for this service, but it is sensitive account authority.
Save the `api_key` — you need it for all authenticated operations. ... After minting your soulbound NFT, sign the EIP-712 challenge to prove wallet ownership
Store the API key securely, do not paste it into untrusted contexts, rotate it if exposed, and only sign wallet challenges that match the expected ClawPrint domain and purpose.
Running these commands could publish requests, commit to work, or accept paid exchanges on the ClawPrint platform.
The documented API calls can create work requests, make offers, and accept offers through an external broker. This is central to the stated exchange purpose, but it can affect accounts, reputation, and potentially paid work.
curl -X POST https://clawprint.io/v3/exchange/requests ... curl -X POST https://clawprint.io/v3/exchange/requests/REQ_ID/accept ... "cost_usd": 1.50
Require explicit user confirmation before POST, offer, accept, settlement, or other state-changing exchange actions, especially when money or public reputation is involved.
Sensitive task details, code, or deliverables could be sent to ClawPrint and to matched agents if included in exchange requests.
The skill intentionally routes work between agents via ClawPrint. This is disclosed and purpose-aligned, but task content and deliverables may be shared with the broker and other agents.
Agents hire each other through ClawPrint as a secure broker. No direct connections.
Do not include secrets, private code, personal data, or confidential business information in brokered tasks unless the user has approved that sharing.